Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 25 Aug 2015 18:29:52 +0800
From:      Julian Elischer <julian@freebsd.org>
To:        =?UTF-8?Q?Petr_Chochol=c3=a1=c4=8d?= <admin@gyrec.cz>, freebsd-current@freebsd.org
Subject:   Re: ipfw rules for connect port 993
Message-ID:  <55DC43A0.1040700@freebsd.org>
In-Reply-To: <55DC2130.9040004@gyrec.cz>
References:  <55DB16B7.2000602@gyrec.cz> <55DB1E79.9030108@freebsd.org> <55DC2130.9040004@gyrec.cz>

next in thread | previous in thread | raw e-mail | index | archive | help
On 8/25/15 4:02 PM, Petr Chocholáč wrote:
> Hello ,

ignore my previous email, you have answered my questions here.

the firewall set you show is pretty horrible. It really needs a rewrite.
do you want to block the two LANs from each other or block any 
machines on the LANs  from reaching the firewall?
if not then you should start by adding two rules.
ipfw add 350 allow ip from any to any in recv {LAN interface}
ipfw add 351 allow ip from any to any out xmit {LAN interface}
as you do not want to block that traffic..
you should only be looking at traffic on the internet interface..

In your current rule set all the rules are being tested at all 
interfaces which is a waste of CPU and also makes it very hard to work 
out what is going on.

if you DO want to filter on other interfaces then send traffic for 
each interface to a different set of rules, incoming and outgoing.
for example

add 350 skipto 1000 ip from any to any in recv rl0
add 360 skipto 1100 ip from any to any out xmit rl0
add 370 skipto 1200 ip from any to any in recv re0
add 380 skipto 1300 ip from any to any out xmit re0
   etc...

then at each rule set (1000, 2000, 3000...  you only have rules you 
need for that exact flow..

also
you should use a table to hold all the subnets and addresses that are 
there
for example:

you have:

08800         0            0 allow tcp from 85.70.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0
08900         0            0 allow tcp from 85.71.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0
09000         0            0 allow tcp from 84.42.232.0/21 to 86.49.91.98 dst-port 443 setup via rl0
09100         0            0 allow tcp from 84.42.240.0/20 to 86.49.91.98 dst-port 443 setup via rl0
09200         0            0 allow tcp from 80.188.157.0/24 to 86.49.91.98 dst-port 443 setup via rl0
09300         0            0 allow tcp from 89.102.9.0/24 to 86.49.91.98 dst-port 443 setup via rl0
09400         0            0 allow tcp from 89.102.0.0/16 to 86.49.91.98 dst-port 443 setup via rl0

this should all be:
  
allow tcp from table(1) to 86.49.91.98 dst-port 443 setup
and it would appear only in the rules to do with incoming packets to rl0
(i.e. in the rules starting with 1000)

you would populate the table with:
ipfw table 1 add 85.70.0.0/16
ipfw table 1 add 85.71.0.0/16
ipfw table 1 add 84.42.232.0/21
...
etc.


  

I can't actually read your ruleset enough without getting  a headache 
to tell you what is failing.

Also you talked about 10.x.x.x
in your email, and about 2 interfaces, but later you talked about 
different addresses and 3 interfaces.

can you say what is the actual setup. (you do not have to give your 
actual internet IP address.. though you already did.. I would replace 
it with ${OUTSIDE} in the script that makes it..



>
> thank you for your answer.
>
> ad1.
> i send my current firewall rules and record from tcpdump on re0 .
> My LAN is 172.16.0.0/22 (10... it was easy. I think it does not matter)
> My second LAN is 192.168.1.0/24(on this network connection to the 
> IMAP port 993 works)
> My public IP is 86.49.91.98
> ad2.
> Tcpdump on rl0 shows nothing
> ad3.
> Yes . I have gateway_enable="YES" in /etc/rc.conf
> ad4.
> I think yes...
>
> PS : Firewall is not my work . I inherited it.
>
> Thank you very much
>
> Petr Chocholac
>
>
>
> Dne 24.8.2015 v 15:39 Allan Jude napsal(a):
>> On 2015-08-24 09:05, Petr Chocholáč wrote:
>>> Hello,
>>>
>>> I would like to ask you for advice. I can not connect to 
>>> imap.gmail.com
>>> on port 993 from my local network. My LAN is behind freeBSD server 
>>> with
>>> IPFW. Server has two network cards rl0=Internet and
>>> re0=LAN(10.0.0.0/16). Tcpdump on re0 shows three SYN packets without
>>> answers.  What rules should i create?
>>>
>>> I tried someting like this, without success:
>>> #ipfw add 01500 allow ip from 10.0.0.0/16 to any in via re0
>>>
>>>
>>>
>>> Thank you very much for any advice and your patience
>>>
>>> Petr Chocholáč
>>> Brno, Czech Republic
>>>
>>> _______________________________________________
>>> freebsd-current@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-current
>>> To unsubscribe, send any mail to 
>>> "freebsd-current-unsubscribe@freebsd.org"
>> We would need to see all of your current firewall rules (ipfw show)
>>
>> You'll want to tcpdump on rl0, to see if the packet is being 
>> forwarded.
>>
>> Do you have the machine configured as a gateway? (gateway_enable="YES"
>> in /etc/rc.conf)
>>
>> Are you doing NAT (Network Address Translation) to remap the internal
>> (10.0.0.0/16) addresses to your internet routable IP?
>>
>
>
>
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55DC43A0.1040700>